Ad Hoc Committee on Cybercrime
The open-ended Ad Hoc Committee to Elaborate a Comprehensive International Convention on Countering the Use of Information and Communications Technologies for Criminal Purposes (Ad Hoc Committee on Cybercrime) is an intergovernmental committee composed of experts and representatives of all regions mandated with drafting a new cybercrime convention. The committee was proposed by the Russian Federation and 17 co-sponsors in 2019 and established by the UN General Assembly (UN GA) Resolution 74/247 under the auspices of the Third Committee of the UN GA. The negotiations are text-based, meaning that the member states are drafting, formulating, and compromising on the treaty’s wording at the sessions.
The subject matter of the treaty
Negotiations on adopting a new convention on cybercrime have gained momentum. After the five sessions of the Ad Hoc Committee (AHC), the chair prepared a draft text of the convention (version as of 1 September 2023), based on the outcomes of two readings of the draft chapters during the fourth and fifth sessions, while also taking into account the outcomes of the second and third sessions. The convention has a preamble and nine chapters:
- I. General provisions
- II. Criminalization
- III. Jurisdiction
- IV. Procedural measures and law enforcement
- V. International cooperation
- VI. Preventive measures
- VII. Technical assistance and information exchange
- VIII. Mechanism of implementation
- IX. Final provisions
The draft convention captures alternatives in the use of some terms (e.g. cybercrime vs the use of ICTs for criminal purposes) proposed by delegations and does not yet address terminology entirely, as states earlier agreed to negotiate this at later stages once progress is made in discussing the substantive provisions (see ‘Open issues’ below). Thus, the scope of the convention, which will be defined by the terminology and approach agreed by states, is still to be negotiated.
During the sixth session, member states negotiated pending points of the draft, but did not achieve a consensus on the scope and terminology (learn more about ‘Key takeaways from the sixth UN session on cybercrime treaty negotiations’).
In plain language: the Ad Hoc Committee on Cybercrime is tasked with drafting a new cybercrime convention by February 2024. The work of the committee will be concluded once it presents a draft convention to the UN General Assembly at its 78th session in September 2024.
The organisational session was originally scheduled to take place in August 2020 but was postponed to 10–12 May 2021 in New York due to the impact of the COVID-19 pandemic. It was decided that the Ad Hoc Committee on Cybercrime shall convene at least six sessions, each lasting ten days, alternating between New York and Vienna.
After the six sessions, the AHC will convene its 7th concluding session from 29 January - 9 February 2024 in New York.
On substantive matters, the committee will first exhaust every effort to reach agreement by consensus. However, should a consensus prove not to be possible, the Bureau of the UN Office on Drugs and Crime (UNODC) will confirm that the decisions shall be taken by a two-thirds majority of the present voting representatives. The chair will then inform the Ad Hoc Committee on Cybercrime that every effort to reach a consensus has been exhausted.
The Ad Hoc Committee on Cybercrime elected its officers at its organisational session. The committee is chaired by Algeria, with 13 vice chairs: Egypt, Nigeria, China, Japan, Estonia, Poland, the Russian Federation, Dominican Republic, Nicaragua, Suriname, Australia, Portugal, and the USA. Indonesia was appointed as the committee’s rapporteur.
Involvement of other stakeholders
The chair may invite, as observers, global and regional intergovernmental organisations, representatives of UN bodies, and representatives of functional commissions of the Economic and Social Council (ECOSOC). Representatives of NGOs with ECOSOC consultative status may attend the sessions.
The chair and the UN Office on Drugs and Crime (UNODC) drew up a list, approved by member states, of relevant NGOs, civil society organisations, academic institutions, and private sector representatives with expertise in cybercrime who will be allowed to provide input as stakeholders.
Existing cybercrime instruments
One of the main questions about the negotiations under the UN auspices is how the new draft convention will interplay with existing major instruments – the Budapest Convention in particular.
The Budapest Convention, formally known as the Convention on Cybercrime, is the most comprehensive and widely accepted legally binding instrument on cybercrime, adopted by the Council of Europe (CoE) in November 2001 and entered into force on 1 July 2004. The convention includes a list of crimes that each signatory state must include in its law. In plain language, it requires the criminalisation of activities such as illegal hacking (including the production, sale, or distribution of hacking tools), acts relating to child pornography, and infringements of copyright and related rights.
The CoE has already adopted its first and second additional protocols. Namely, the First Additional Protocol to the Budapest Convention, which concerns the criminalisation of acts of a racist and xenophobic nature committed through computer systems. The protocol extends the scope of the Budapest Convention and covers offences of racist or xenophobic propaganda in its substantive, procedural, and international cooperation provisions. So far, 35 states have signed and ratified the protocol, while 10 have signed it but have not ratified it. The Second Additional Protocol to the Budapest Convention on enhanced cooperation and disclosure of electronic evidence responds to the challenges and complexity of obtaining evidence that may be stored in foreign or unknown jurisdictions. Namely, the protocol provides tools for direct cooperation with service providers and timely cooperation in emergencies or joint investigations while ensuring effective human rights protection. So far, 40 states have signed the second protocol, but only 2 have ratified it.
With 68 ratifications – 20 of which are not members of the CoE (including the USA, Japan, Australia, and, most recently, Argentina, Brazil, Cabo Verde, Peru, Colombia, and Ghana) – the Budapest Convention is de facto the accepted international agreement on combating cybercrime, which has inspired numerous regional and national cybercrime regulations.
States' drafting suggestions include provisions from other international conventions as consulting instruments.
The first is the UN Convention against Corruption (UNCAC), which obliges states to adopt preventative and punitive measures to combat corruption in both the public and private sectors. Essentially, the convention addresses international cooperation and obliges state parties to assist each other in legal assistance requests, including investigations, prosecutions, and judicial proceedings. It entered into force on 14 December 2005 with 189 state parties and 140 signatories. Most states that referred to UNCAC in their drafting suggestions stated that it should be used as a tool for coordinating international cooperation.
The second is the UN Convention on Transnational Organized Crime (UNTOC), which provides measures to combat transnational organised crime. It has three additional protocols that refer to the prevention of human trafficking and smuggling of migrants by land, sea, and air, while the third obliges states to implement measures against the illegal manufacture and traffick of firearms. It entered into force on 29 September 2003 with 190 state parties and 147 signatories.
Provisions from regional instruments were used as well. These include provisions from the African Union Convention on Cyber Security and Personal Data Protection (Malabo Convention), the Commonwealth of Independent States Agreement on Cooperation in the Fight Against Crimes in the Field of Information Technologies (Dushanbe Agreement), the Budapest Convention, mentioned earlier, and the Arab Convention on Combating Information Technology Offences, as well as recommendations of the Open-ended intergovernmental expert group to conduct a comprehensive study on cybercrime.
The next steps
The next step in the process is the concluding session of the AHC on Cybercrime, where states will vote over a final version of the convention. After the 6th session, the chair will also present compromise proposals on the pending provisions for the concluding 7th session to be held in New York from 29 January to 9 February 2024.